Analysing Google’s evolving policies for kids app developers

Last week Google announced an important revamp of its policies for Play Store apps that are used by children.  With these changes, Google is addressing many of the concerns voiced in recent years by parents, regulators and advocates about the safety of apps that are marketed to kids.

Summary
The new Google policy requires apps whose primary audience is kids—or which are marketed to kids or appealing to kids—to specify their target age range and to join the Designed for Families (DFF) program.  Apps that serve both kids and adults must use an age gate to identify their kids audience, in order to treat them in compliance with the DFF program.

DFF apps can only monetise with ad networks that have self-certified that they:

  • respect the Tag-for-child-directed (TFCD) parameter—aka the ‘COPPA flag’—on a per-app or per-request basis, e.g. they can switch off interest-based advertising and restrict personal data collection;
  • are able to categorise and tag their ad creatives by age, with minimum buckets being Adult and Everyone; and,  
  • agree to let Google verify the above.

The new policy goes into effect immediately for all new apps and will be enforced for existing apps from September 1st. This change complements other less-well-publicized kids-related policies, namely:

  • Presumably in response to criticism around gambling-style mechanics, app developers must now disclose the odds of receiving items in so-called loot boxes. (Apple made this change in their developer policies a few years ago).
  • Kids’ apps may not use APIs or SDKs whose terms of service prohibit their use in child-directed apps, unless they are specifically configured to not collect personal information from children.
  • Apps must trigger a safety warning before activating any augmented reality experience, and apps for kids may not require using a device that is not advised for children, like the Oculus VR headset.

Impact
The biggest impact will be on many apps that are currently outside the DFF but have children as an audience.  These will need to either age gate (if they don’t do so already) or stop promoting themselves to kids. Google has made clear they will proactively review apps for compliance with this provision.  Those that refuse to age gate but are still deemed appealing to kids will be forced to carry a label that says they are not suitable for kids.

Another consequence is that all DFF publishers and age-gated publishers will now review their monetisation partnerships to ensure they are working only with certified ad networks.  For some publishers—who work with multiple networks or have built their own complex mediation stacks to maximise ad revenue—this will lead to a cull of noncompliant ad partners.

Analysis and recommendations
Google is to be commended for improving kid safety in its Play store (we’re one of their partners), tackling one of the largest sources of kids’ personal data leakage.  The changes help enforce the requirements of COPPA and GDPR-K, make it easier for publishers to be compliant, and set a standard that should be best practice around the world.

While Google has taken an important step in the right direction, there are four main improvements which would shift this strategy from being essentially an updated adult policy to being a designed-for kids strategy (with higher levels of safety for kids and more support for publishers):

  1. Put in place a compliance review process for the ad networks that have self-certified.  Each of these vendors has always had an obligation to comply with COPPA, so the current policy effectively just asks them to confirm they do so, whilst leaving publishers with the risk (and likely liability) if they do not.  
  2. Move beyond enforcing a flawed compliance mechanism.  As we have seen across numerous enforcement cases, the ‘COPPA flag’ is not effective in protecting children. It does not actually stop personal data being transmitted; it only marks that data as relating to a child.  The only way to guarantee COPPA compliance (and kid safety) is to strip kids’ personal data from ad requests at source. Google could require publishers and/or ad partners to use kidtech designed for that purpose.  
  3. The self-certification scheme currently only applies to ad networks.  Publishers are still solely responsible for ensuring that any other SDKs or APIs (analytics, sharing, etc) are compliant with COPPA and any other applicable data privacy law.  We recommend that Google extend the program to include other essential publisher tools as soon as possible.
  4. Endorse the kidtech standard and formally support the technology which has been deliberately designed for the privacy and safety requirements of the kids ecosystem

Google is trying to make the enormous number of kids’ apps in the Play Store safer, which is obviously good. This is the beginning of a wider awakening among the large technology companies as they begin to grapple with the sheer number of children who are now using their services.